Disable AWS Services using Provider Management APIs
Overview
This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts who need to disable unused services at scale.
In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:
Empty array
[]= All available AWS services are enabled for discoveryPopulated array = Only the listed services are enabled; all others are disabled
To disable specific services, you must populate the array with only the services you want to monitor.
Before you start
Before you update AWS provider services, ensure:
You have API access credentials for your Veza instance (see Authentication for API key setup)
You have the VEZA_TOKEN environment variable configured
You have the VEZA_URL environment variable set to your instance (e.g.,
https://yourcompany.cookiecloud.ai)You have appropriate permissions to modify provider configurations
You understand that empty services arrays mean ALL services are enabled
Disable specific AWS services across providers
Step 1: Discover your current AWS providers
First, retrieve all AWS provider configurations to understand your current setup:
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws"Understanding the response:
Providers with empty
services: []arrays have ALL services enabledProviders with populated
servicesarrays only extract the listed servicesNote the
id,name, andaccount_idfields for providers you want to modify
Example response structure:
{
"values": [
{
"id": "12345678-1234-5678-9012-123456789012",
"name": "Production AWS Account",
"account_id": "123456789012",
"services": [],
"state": "ENABLED"
},
{
"id": "87654321-4321-8765-2109-876543210987",
"name": "Development AWS Account",
"account_id": "987654321098",
"services": ["S3", "RDS_POSTGRES", "LAMBDA"],
"state": "ENABLED"
}
]
}Step 2: Identify target providers and services
Identify which providers to modify based on:
Provider names that match your AWS accounts
Account IDs that correspond to your AWS accounts
Current services configuration
Determine your desired services configuration:
Option A: Disable DATABRICKS only
{ "services": [ "REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL", "RDS_ORACLE", "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS", "EC2", "SSO", "COGNITO", "LAMBDA", "EKS", "SECRETS_MANAGER", "ECR", "AWS_IAM" ] }Option B: Enable only specific services
{ "services": [ "S3", "RDS_POSTGRES", "LAMBDA", "EC2", "AWS_IAM" ] }Option C: Custom configuration
Review the available services list below
Create your own array with desired services
Step 3: Test with a single provider
Before updating all providers, test with one provider first:
# Replace with your actual provider ID and desired services
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d '{"services":["S3","RDS_POSTGRES","LAMBDA","EC2","AWS_IAM"]}' \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"Verify the change:
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"Check that the response shows your desired services array.
Step 4: Apply to multiple providers
Manual approach (recommended for small numbers)
Update each provider individually using their specific IDs:
# Example for multiple providers - replace with your actual IDs and services
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'
# Provider 1
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$DESIRED_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_1"
# Provider 2
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$DESIRED_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_2"Bulk approach (for many providers)
Create a script for bulk updates. Use with caution as this affects all AWS providers:
#!/bin/bash
# Configuration - CUSTOMIZE THESE VALUES
VEZA_URL="https://yourcompany.cookiecloud.ai"
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'
echo "Starting bulk AWS provider services update..."
echo "Target services: $DESIRED_SERVICES"
echo ""
# Get all AWS provider IDs
provider_ids=$(curl -s -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws" | \
jq -r '.values[].id')
if [ -z "$provider_ids" ]; then
echo "Error: No AWS providers found or API call failed"
exit 1
fi
# Count providers
provider_count=$(echo "$provider_ids" | wc -l)
echo "Found $provider_count AWS providers to update"
echo ""
# Add confirmation prompt
read -p "Continue with bulk update? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo "Update cancelled"
exit 0
fi
# Update each provider
echo "$provider_ids" | while read provider_id; do
if [ -n "$provider_id" ]; then
echo "Updating provider: $provider_id"
response=$(curl -s -w "\nHTTP_STATUS:%{http_code}" -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$DESIRED_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/$provider_id")
http_status=$(echo "$response" | grep "HTTP_STATUS" | cut -d: -f2)
if [ "$http_status" = "200" ]; then
echo "✓ Successfully updated provider $provider_id"
else
echo "✗ Failed to update provider $provider_id (HTTP $http_status)"
echo "Response: $(echo "$response" | grep -v "HTTP_STATUS")"
fi
echo ""
fi
done
echo "Bulk update completed"Step 5: Verify changes
After updating providers, verify the changes took effect:
# Check all providers
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws" | \
jq '.values[] | {id: .id, name: .name, services: .services}'
# Check specific provider
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID" | \
jq '{id: .id, name: .name, services: .services}'Reversing changes
Re-enable all services
To return a provider to monitoring all services:
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d '{"services":[]}' \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"Modify service configuration
To change which services are monitored:
# Example: Enable different set of services
NEW_SERVICES='["S3","LAMBDA","DYNAMODB","EC2"]'
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$NEW_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"Available AWS services
The following AWS services can be included in the services array:
S3- Simple Storage ServiceRDS_POSTGRES- PostgreSQL databasesRDS_MYSQL- MySQL databasesRDS_ORACLE- Oracle databasesRDS- General RDS serviceDYNAMODB- DynamoDB NoSQL databaseREDSHIFT- Redshift data warehouseREDSHIFT_CLUSTER- Redshift cluster managementEC2- Elastic Compute Cloud (virtual machines)LAMBDA- Serverless functionsEKS- Elastic Kubernetes ServiceECR- Elastic Container RegistryEMR- Elastic MapReduce (big data)AWS_IAM- Identity and Access ManagementKMS- Key Management ServiceSECRETS_MANAGER- AWS Secrets ManagerCOGNITO- User authentication serviceSSO- AWS Single Sign-OnORGANIZATIONS- AWS OrganizationsDATABRICKS- Analytics platform
Important notes:
Service availability may vary by Veza version and configuration
Some services may require specific permissions or setup
When in doubt, check your Veza UI to see which services are available for your AWS providers
See also
Last updated
Was this helpful?